(1.8~1.10)
1.8 Results after configuration
Use Router#show crypto ipsec sa and show crypto isakmp sa to check how traffic is traversing the VPN tunnel once it has been established (the ISAKMP SA must be up before the IPsec SAs and their packet counters mean anything).
1.1.1 Results on the PIX
1. pixfirewall# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 34.34.34.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2. pixfirewall# show ipsec sa
interface: outside
Crypto map tag: cisco, seq num: 10, local addr: 35.35.35.3
access-list nat0 permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.11.0/255.255.255.0/0/0)
current_peer: 34.34.34.3
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 35.35.35.3, remote crypto endpt.: 34.34.34.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 44D064A6
inbound esp sas:
spi: 0x9296DA19 (2459359769)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4274999/3582)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x44D064A6 (1154507942)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4274999/3582)
IV size: 8 bytes
replay detection support: Y
1.1.2 Results on the Beijing gateway router
1. BJ#show cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
35.35.35.3 34.34.34.3 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
2. BJ#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: cisco, local addr 34.34.34.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
current_peer 35.35.35.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 34.34.34.3, remote crypto endpt.: 35.35.35.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x9296DA19(2459359769)
inbound esp sas:
spi: 0x44D064A6(1154507942)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: cisco
sa timing: remaining key lifetime (k/sec): (4408434/2389)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9296DA19(2459359769)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: cisco
sa timing: remaining key lifetime (k/sec): (4408434/2388)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
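As an added example that is not part of the original write-up, the following Python script parses constructed excerpts of the two show crypto ipsec sa outputs above, checks that each peer's inbound ESP SPI is the other peer's outbound SPI (the sign that both sides are describing the same SA pair), and flags zero packet counters or send/recv errors such as the single send error the BJ router reports.

```python
import re
# Constructed excerpts of the two "show crypto ipsec sa" outputs above (PIX, then BJ).
PIX_SA = """#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0x9296DA19 (2459359769)
outbound esp sas:
spi: 0x44D064A6 (1154507942)"""
BJ_SA = """#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#send errors 1, #recv errors 0
inbound esp sas:
spi: 0x44D064A6(1154507942)
outbound esp sas:
spi: 0x9296DA19(2459359769)"""
FIELDS = {"encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
          "send_errors": r"#send errors:? (\d+)", "recv_errors": r"#recv errors:? (\d+)"}

def parse_ipsec_sa(text):
    """Pull the packet counters and the inbound/outbound ESP SPIs out of one peer's output."""
    sa, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("inbound esp sas"):
            section = "inbound"
        elif line.startswith("outbound esp sas"):
            section = "outbound"
        for key, pat in FIELDS.items():  # PIX prints "errors: N", IOS prints "errors N"
            if m := re.search(pat, line):
                sa[key] = int(m.group(1))
        if section and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):  # "0x.. (dec)" or "0x..(dec)"
            sa[section + "_spi"] = m.group(1).upper()
    return sa

def check_tunnel(local, remote):
    """Cross-check the two peers; an empty list means a consistent SA pair that is carrying traffic."""
    findings = []
    if (local.get("inbound_spi") != remote.get("outbound_spi")
            or local.get("outbound_spi") != remote.get("inbound_spi")):
        findings.append("SPI mismatch: the peers are not describing the same SA pair")
    for name, sa in (("local", local), ("remote", remote)):
        if not sa.get("encaps") or not sa.get("decaps"):
            findings.append(f"{name}: no traffic in one direction (encaps={sa.get('encaps')}, decaps={sa.get('decaps')})")
        if sa.get("send_errors") or sa.get("recv_errors"):
            findings.append(f"{name}: errors present (send={sa.get('send_errors')}, recv={sa.get('recv_errors')})")
    return findings
```

Running check_tunnel(parse_ipsec_sa(PIX_SA), parse_ipsec_sa(BJ_SA)) returns only the BJ send-error finding, which is what a healthy, cross-matched SA pair with one dropped packet looks like.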
1.2 Testing connectivity between the Taiyuan head office and the Beijing branch
1.2.1 Traffic from the Beijing branch to the head office
BJ#ping 172.16.10.1 source 172.16.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/59/88 ms
1.2.2 Traffic from the Taiyuan head office to the Beijing branch
inside#ping 172.16.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/56/104 ms
(End)